U.S. Department of the Interior Office of Inspector General AUDIT REPORT GENERAL CONTROL ENVIRONMENT OF THE FEDERAL FINANCIAL SYSTEM AT THE RESTON GENERAL PURPOSE COMPUTER CENTER, U.S. GEOLOGICAL SURVEY REPORT NO. 97-I-98 OCTOBER 1996
United States Department of the Interior OFFICE OF INSPECTOR GENERAL Washington, D.C. 20240 MEMORANDUM TO: FROM: SUBJECT SUMMARY: Final Audit Report for Your Information - General Control Environment of the Federal Financial System at the Reston General Purpose Computer Center, U.S. Geological Survey (No. 97-I-98) Attached for your information is a copy of the subject final audit report. This report presents a summary of the draft audit report Stronger Controls Needed Over The Data Processing Environment At The U.S. Geological Survey, Reston General Purpose Computer Center, issued by the Office of Inspector General, U.S. House of Representatives, on September 3, 1996. We were informed by the House s Office of Inspector General that the information presented in this draft report is the same information that will be presented in their final audit report. The objective of the audit was to evaluate the effectiveness of the general control environment surrounding the Federal Financial System and the processing of financial data for the House. The House Office of Inspector General s audit report identified 42 weaknesses and made 70 recommendations for corrective actions to the U.S. Geological Survey and one recommendation for corrective action to both the Geological Survey and the House s Chief Administrative Officer. The report identified weaknesses in data center management and operations; mainframe computer system physical and logical security; telecommunications security; protection of the local area network from unauthorized access and use; and contingency planning, including backup procedures for preventing data loss and for the recovery of data in case of a disaster. The Geological Survey and House management worked collaboratively with our office, the House s Office of Inspector General, and the contracted auditing team that performed the review to resolve key issues. As a result of this collaborative effort, the Geological Survey was able to take immediate corrective actions to resolve the deficiencies that could have adversely impacted the integrity and security of the processing of the House s financial data on the Federal Financial System. The Geological Survey concurred with or proposed alternative recommendations for each of the report s recommendations. Based on the response, we considered 13 recommendations implemented and 58 recommendations resolved but not implemented.
If you have any questions concerning this matter, please contact meat (202) 208-5745 or Mr. Robert J. Williams, Acting Assistant Inspector General for Audits, at (202) 208-4252. Attachment
United States Department of the Interior OFFICE OF THE INSPECTOR GENERAL Washington, D.C. 20240 H-IN-GSV-001-96 Memorandum AUDIT REPORT To: From: Subject: Assistant Secretary - Water and Science Acting Assistant Inspector General for Audits Audit Report on the General Control Environment of the Federal Financial System at the Reston General Purpose Computer Center, U.S. Geological Survey (No. 97-I-98) INTRODUCTION This report presents a synopsis of the draft audit report Stronger Controls Needed Over The Data Processing Environment At The U.S. Geological Survey, Reston General Purpose Computer Center, issued by the Office of Inspector General, U.S. House of Representatives, on September 3, 1996. The audit, which was coordinated through our office, was conducted by Price Waterhouse, LLP, under contract to the House s Office of Inspector General. We are issuing this report because we are the cognizant audit agency for the U.S. Geological Survey and because we want to ensure that the recommendations contained in this report are included in our audit recommendation tracking system. The objective of the audit was to evaluate the effectiveness of the general control environment surrounding the Federal Financial System and the processing of financial data for the House. BACKGROUND The Washington Administrative Service Center was established in 1987, within the Geological Survey, to direct the Department of the Interior s efforts to standardize administrative systems. As part of this effort, the Geological Survey purchased the Federal Financial System from American Management Systems, Inc., in 1987. The Service Center leases computer space from the Geological Survey s General Purpose Computer Center to operate the Federal Financial System on the Computer Center s mainframe computer. The system license purchased by the Geological Survey allows it to provide services to Federal agencies outside of the Department of the Interior. As such, the Geological Survey is able to provide the Federal Financial System as an interim financial management system to the U.S. House of Representatives. On August 3, 1995, the Committee on House Oversight, U.S. House of Representatives,
passed a resolution mandating the implementation of a new financial management system for House financial operations. The resolution required that the Chief Administrative Officer, in consultation with the House s Office of Inspector General, implement the system. In September 1995, the Chief Administrative Officer entered into an agreement with the Geological Survey to provide, on an interim basis, the Geological Survey s Federal Financial System for the processing of the House s financial data. The House s Office of Inspector General determined that a review of the general control environment of the Federal Financial System was necessary to ensure the integrity and security of the financial information to be processed on the system. As a result, a contract was awarded to Price Waterhouse, LLP, in March 1996 to perform a review of the policies and general controls of operations of the Geological Survey s Federal Financial System at the General Purpose Computer Center in Reston, Virginia. SCOPE OF AUDIT Direction for and oversight of the contracted audit were provided by the House s Office of Inspector General, which coordinated with our office throughout the review. The contracted audit was made in accordance with the Government Auditing Standards, issued by the Comptroller General of the United States. Accordingly, the audit included such tests of records and other auditing procedures that were considered necessary under the circumstances. The audit was performed from March through May 1996 at the General Purpose Computer Center. The contracted audit included a review of the integrity, confidentiality, and availability of information resources for processing the House s financial data. The evaluation focused on general controls, including the following: user authentication; prevention of the system and data from unauthorized access, modification, and destruction; contingency plans in case of system destruction; and the backup and recoverability of data, systems, and telecommunications in case operations are disrupted. To perform this review, the contractor performed the following tasks: - Documentation was obtained from and interviews were conducted with officials responsible for system operations. - Control techniques consistent with data security standards based on current industry standards and Government guidelines were identified. - An understanding of the computing and internal controls related to system data, including data integrity, security, and availability, was obtained. - Key management controls and internal controls were assessed and tested. 2
- Third-party audit and security software tools were used to perform automated testing techniques. In addition, computer and information systems audit guidelines were used in evaluating the effectiveness of the Computer Center s management and operations. As part of the review, the internal controls related to the integrity, confidentiality, and availability of the mainframe computer were evaluated. The contracted audit disclosed internal control weaknesses related to the operating system, system access, security program and functions, network controls, and business continuity planning. These weaknesses are discussed in the Results of Audit section of this report. The recommendations, if implemented, should improve controls in these areas. PRIOR AUDIT COVERAGE The General Accounting Office had not issued any reports relating to operations of the Computer Center or its Federal Financial System. Our office, however, has issued one report during the past 5 years relating to the Geological Survey s Federal Financial System. The September 1992 report Implementation of the Federal Financial System, U.S. Geological Survey (No. 92-1-14 18) stated that the Federal Financial System had not been implemented effectively and did not meet the requirements contained in the Joint Financial Management Improvements Program s Core Financial System Requirements. These conditions occurred, according to the report, because the Geological Survey did not comply with Office of Management and Budget and Departmental guidelines for establishing and maintaining an integrated financial management system. The report also identified inadequate physical security at the Reston Automated Data Processing Facility. The Geological Survey generally agreed with our 19 recommendations and initiated actions to correct the deficiencies identified. RESULTS OF AUDIT The House Office of Inspector General s audit report identified 42 weaknesses and made 70 recommendations for corrective actions to the Geological Survey and one recommendation for corrective action to both the Geological Survey and the House s Chief Administrative Officer. The report stated that the Geological Survey s General Purpose Computer Center had operational internal controls that were inadequate. Specifically, weaknesses existed in data center management and operations; mainframe computer system physical and logical security; telecommunications security; protection of the local area network from unauthorized access and use; and contingency planning, including backup procedures for preventing data loss and for the recovery of data in case of a disaster. The Office of Management and Budget and the National Institutes of Standards and Technology have 3
issued numerous directives, policies, and guidelines requesting that Federal agencies establish and implement computer security and controls to improve the safeguarding of sensitive information in Federal agencies computer systems. However, the Computer Center did not fully comply with these criteria because it did not: establish certain formal data center policies, standards, and procedures; segregate duties adequately; comply with vendor guidelines for system operations; and develop a formal and comprehensive data security program. Consequently, the Computer Center was susceptible to: unauthorized system access and data modification; errors and omissions during system start up and processing; and unauthorized facility or system access, which could lead to theft or destruction of hardware, software, and information. The control deficiencies noted in each of the functional aspects are summarized in the following paragraphs. Computer Center Management and Operations The House s September 3 report identified 8 weaknesses and made 17 recommendations regarding the Computer Center s management and operations. The report stated that the Computer Center had weaknesses in its management and operations that posed significant risks to computer system availability, confidentiality, and reliability. These problems included the following: - Inconsistent and inadequate security background checks and clearances for Computer Center government and contractor employees. - Poor controls over access to key support systems, such as the Internet, DOINET, and local area networks. - Inadequate and inconsistently used software program change control procedures. - Inadequate problem-resolution procedures. - Lack of control over the labeling and distribution of sensitive computer-generated printouts. Mainframe Computer System Physical and Logical Security The House s September 3 report identified 20 weaknesses and made 32 recommendations regarding the Computer Center s physical and logical security of its mainframe systems. The report stated that the Computer Center did not comply with vendor guidelines and generally accepted industry practices in administering and implementing operating system 4
and access security software controls on its mainframe computer. Some of these deficiencies included: - Improper controls over critical operating system components, such as system start-up parameters and options and the authorized program facility. - Unrestricted access to and use of powerful system programs, such as the Customer Information Control System transaction utility programs. - Inadequate controls over system programmer access to terminals capable of acting as the master console terminal. - Inadequate software change control procedures over modifications made to the Customer Information Control System environment. - Improper installation of and controls over security access control software. - Improper controls over programmers and separated/termninated employees. Telecommunications Security The House s September 3 report identified one weakness and made two recommendations regarding the Computer Center s telecommunications security. The report stated that unrestricted user access through the Internet posed integrity and security risks to internal systems such as the mainframe computer and certain local area networks. Local Area Network Protection The House s September 3 report identified 10 weaknesses and made 17 recommendations regarding the Computer Center s local area network protection. The report stated that the Geological Survey did not provide proper controls in administering and managing its local area networks, which are connected to the mainframe computer that processes Federal Financial System data. Problems related to the local area networks included the following: - Inconsistent management and administration practices between three local area network servers. - Improper controls over passwords on and general access to a particular local area network. - Inadequate controls over powerful access privileges (supervisor privileges) to the local area network. 5
- Lack of procedures for monitoring local area network access and usage. - Incomplete and untested contingency, data backup, and data recovery in case of disaster plans to ensure the timely recovery and resumption of operations. - Inadequate physical security controls to safeguard key network computer hardware. - Inconsistent requirements for installing and using virus detection software on fileservers and workstations. Contingency Planning, Backup, and Disaster Recovery The House s September 3 report identified three weaknesses and made three recommendations regarding the Computer Center s contingency planning, backup, and disaster recovery procedures. The report stated that the Computer Center s contingency planning, data backup, and disaster-recovery procedures for the Federal Financial System mainframe computer were inadequate and did not allow for complete business resumption. Corrective Actions The Geological Survey and House management worked collaboratively with our office, the House s Office of Inspector General, and the contracted auditing firm to resolve key issues. As a result of this collaborative effort, the Geological Survey was able to take immediate corrective actions to resolve the deficiencies that could have adversely impacted the integrity and security of the processing of the House s financial data on the Federal Financial System. Geological Survey management also initiated efforts to correct the other deficiencies identified, which were important to the overall integrity and security of data center operations. In its report, the House s Office of Inspector General stated that it believed that the actions taken and the continuing commitment demonstrated by Geological Survey management to resolve the deficiencies identified has greatly reduced the risk to the Computer Center s processing environment. U.S. Geological Survey Response and Office of Inspector General Reply The Director, U.S. Geological Survey, responded to the House s draft report on August 20, 1996. Based on this response, we considered 13 recommendations implemented and 58 recommendations resolved but not implemented. The unimplemented recommendations will be referred to the Assistant Secretary for Policy, Management and Budget for tracking of implementation (see the Appendix). The legislation, as amended, creating the Office of Inspector General requires semiannual reporting to the Congress on all audit reports issued, actions taken to implement audit 6
recommendations, and identification of each significant recommendation on which corrective action has not been taken. We appreciate the assistance of U.S. Geological Survey personnel in the conduct of this audit.
STATUS OF AUDIT REPORT RECOMMENDATIONS 1 APPENDIX Finding/Recommendation Reference Status Action Required 3E, 7B, 10A, 10B, Implemented. No further action is 13A, 15A, 15B, 18,22, required. 23,25,41, and 42 1A, lb, 2, 3A, 3B, 3C, 3D, 4, 5A, 5B, 5C, 6A, 6B, 8A, 8B, 9A, 9B, 9C, 11A, 11B, 11C, 12, 13B, 14A, 14B, 14C, 16 17, 19, 20A, 20B, 20C, 21 24A, 24B, 26,27,28, 29A, 29B, 30A, 30B, 31A, 31B, 32A, 32B, 33A, 33B, 33C, 33D, 34,35, 36A, 36B, 37,38 39, and 40 Resolved; not implemented. No further response to the Department of the Interior Office of Inspector General is required. The recommendations will be referred to the Assistant Secretary for Policy, Management and Budget for tracking of implementation. l From audit report Stronger Controls Needed Over The Data Processing Environment At The U.S. Geological Survey, Reston General Purpose Computer Center, dated September 3, 1996. 8
SHOULD BE REPORTED TO THE OFFICE OF INSPECTOR GENERAL BY: Sending written documents to: Calling: Within the Continental United States U.S. Departmnent of the Interior Our 24-hour Office of Inspector General Telephone HOTLINE 1550 WiIson Boulevard 1-800-424-5081 or Suite 402 (703) 235-9399 Arlington. Virginia 22210 TDD for hearing impaired (703) 235-9403 or 1-800-354-0996 Outside the Continental United States U.S. Department of the Interior (703) 235-9221 Office of Inspector General Eastern Division - Investigations 1550 Wilson Boulevard Suite 410 Arlington, Virginia 22209 U.S. Department of the Interior (700) 550-7279 or Office of Inspector General COMM 9-011-671-472-7279 North Pacific Region 238 Archbishop F.C. Flores Street Suite 807, PDN Building Agana, Guam 96910
HOTLINE